(v2.2.0.1) Getting Ready: Prerequisites
- Yajing Wang
Welcome to your first step towards cloud efficiency and savings with Infrastructure Optimizer. By following our setup checklist, you'll enable Infrastructure Optimizer to operate smoothly in your environment.
Environment Prerequisites Overview
Component | Section Link |
---|---|
VPC | |
Certificate | |
IAM Roles | |
EKS Cluster |
Network
Component | Requirements |
VPC |
|
NAT Gateway |
|
Security
Component | Details |
SSH Key |
|
Trusted Certificate |
|
Compute
Component | Requirements |
Operating System |
|
Permissions
We understand that cloud control and security are essential to you. In order to install Infrastructure Optimizer and start saving right away, we need your help to set up the right permissions for Infrastructure Optimizer to operate. For seamless operation and integration with AWS services, the following IAM roles with specific permissions are required:
User IAM Role
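This role is for users who install and use the product. Note that several statements in the policy below use "Resource": "*", including the IAM statement that grants iam:CreateRole, iam:PutRolePolicy, iam:AttachRolePolicy and iam:PassRole. With an unrestricted resource, those four actions together allow the holder to create a role with any permissions and pass it to a service, so before applying the policy, scope them to the role names or paths the installation actually uses where your deployment allows, or constrain them with a permissions boundary and an iam:PassedToService condition on iam:PassRole.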
Least privilege IAM policies | Explanation |
---|---|
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:RunInstances",
"ec2:DescribeInstances",
"ec2:DescribeInstanceTypes",
"ec2:DescribeInstanceStatus",
"ec2:StopInstances",
"ec2:TerminateInstances",
"ec2:ModifyInstanceAttribute",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:DescribeVpcAttribute",
"ec2:DescribeSecurityGroups",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateSecurityGroup",
"ec2:RevokeSecurityGroupIngress",
"ec2:DeleteSecurityGroup",
"ec2:DescribeSecurityGroupRules",
"ec2:CreateTags",
"ec2:DescribeKeyPairs",
"ec2:DescribeImages",
"ec2:DescribeImageAttribute",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeAccountAttributes",
"ec2:DescribeRouteTables",
"ec2:DescribeNetworkAcls",
"ec2:DescribeAddresses",
"ec2:DescribeDhcpOptions",
"ec2:DescribeSnapshots"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::cf-template*"
},
{
"Effect": "Allow",
"Action": [
"cloudformation:CreateStack",
"cloudformation:UpdateStack",
"cloudformation:CreateUploadBucket",
"cloudformation:DescribeStackEvents",
"cloudformation:DescribeStacks",
"cloudformation:GetTemplateSummary",
"cloudformation:ListStacks",
"cloudformation:ListStackResources",
"cloudformation:DeleteStack"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iam:CreateRole",
"iam:DeleteRole",
"iam:ListRoles",
"iam:TagRole",
"iam:PutRolePolicy",
"iam:DeleteRolePolicy",
"iam:GetRole",
"iam:ListAttachedRolePolicies",
"iam:CreateInstanceProfile",
"iam:AddRoleToInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:DeleteInstanceProfile",
"iam:ListPolicies",
"iam:PassRole",
"iam:ListOpenIDConnectProviders",
"iam:GetOpenIDConnectProvider",
"iam:ListEntitiesForPolicy",
"iam:CreateServiceLinkedRole",
"iam:ListInstanceProfiles",
"iam:ListInstanceProfilesForRole",
"iam:AttachRolePolicy"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"eks:DescribeCluster",
"eks:ListClusters",
"eks:UpdateClusterConfig",
"eks:UpdateClusterVersion",
"eks:CreateNodegroup",
"eks:DescribeNodegroup",
"eks:ListNodegroups",
"eks:UpdateNodegroupConfig",
"eks:UpdateNodegroupVersion",
"eks:DescribeAddon",
"eks:DescribeAddonVersions",
"eks:ListAddons",
"eks:UpdateAddon",
"eks:AccessKubernetesApi",
"eks:ListAccessPolicies",
"eks:AssociateAccessPolicy",
"eks:ListIdentityProviderConfigs",
"eks:DescribeAccessEntry",
"eks:ListPodIdentityAssociations",
"eks:ListAssociatedAccessPolicies",
"eks:CreateAccessEntry"
],
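"_comment": "Replace the Resource below with the specific cluster ARN (arn:aws:eks:region:account-id:cluster/cluster-name), then delete this _comment line before applying the policy: IAM does not accept _comment as a statement element.",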
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ssm:ListAssociations",
"ssm:GetParametersByPath"
],
"Resource": "*"
}
]
} |
Management Server IAM Role
Controller IAM Role
Worker IAM Role